Security Advisory Notice
Note
This page has been archived as of October 15, 2020. Going forward, security advisories related to Avi Vantage (now VMware NSX Advanced Load Balancer, NSX ALB) will be available at the VMware Security Advisories page.
This article highlights the security vulnerabilities, the associated CVEs, and the version of Avi Vantage in which they are addressed.
These vulnerabilities are found in third-party libraries or software used by the Avi Vantage product. Most of these vulnerabilities are associated with multiple CVEs. Each CVE is assigned a priority by the vendor. Avi determines the priority of the component/vulnerability based on the highest priority assigned to the CVEs and expects the respective vendor to develop, test, and release the security patch. Once the security patch is released by the vendor, Avi will resolve the vulnerability within the following timeframe:
- High priority — Within two weeks of the security patch release.
- Medium and low priority — Within the following quarter of the security patch release. For instance, if the security patch was released by the vendor in Q1, Avi will resolve the vulnerability by including the security patch in the product by the Q2 timeframe.
All these vulnerabilities will be resolved by including the vendor-provided security patch in either the periodic maintenance release or an Avi Vantage software patch.
Component | Description | Priority | Related CVEs | Links | Resolved from | Avi Security Bulletins |
---|---|---|---|---|---|---|
Cyrus SASL | Vulnerability in the `cyrus-sasl` library | Low | CVE-2019-19906 | Avi Vantage is not impacted | ||
NSS Stack | Vulnerability in certain apps incorrectly using crypto APIs in the NSS stack | Low | CVE-2019-11745 | Avi Vantage is not impacted. | | |
ModSecurity | DoS Vulnerability in ModSecurity | Low | CVE-2020-15598 | Avi Vantage is not impacted | ||
OpenSSL | Raccoon Attack | Low | CVE-2020-1968 | Avi Vantage is not impacted | ||
OpenSSL | Segmentation fault in SSL_check_chain | High | CVE-2020-1967 | Avi Vantage is not impacted | ||
Linux kernel vulnerabilities | SACK panic | High | CVE-2019-11477 | USN-4017-1 | 18.2.8 | |
Linux kernel vulnerabilities | SACK slowness (Linux < 4.15) or excess resource usage (all Linux versions) | High | CVE-2019-11478 | USN-4017-1 | 18.2.8 | |
FreeBSD Vulnerability | SACK Slowness (FreeBSD 12 using the RACK TCP Stack) | Medium | CVE-2019-11815 | No patches required. See [B] | ||
Linux kernel vulnerabilities | Excess resource consumption due to low MSS values (all Linux versions) | Medium | CVE-2019-11479 | | 18.2.8 | |
Linux kernel (Azure) vulnerabilities | Several security issues were fixed in the Linux kernel. | Low | CVE-2018-10876 CVE-2018-10877 CVE-2018-10878 CVE-2018-10879 CVE-2018-10880 CVE-2018-10882 CVE-2018-10883 CVE-2018-14625 CVE-2018-16882 CVE-2018-17972 CVE-2018-18281 CVE-2018-19407 CVE-2018-9516 | USN-3871-5 | 18.2.2 17.2.15 | |
OpenSSH vulnerabilities | Several security issues were fixed in OpenSSH. | Low | CVE-2018-20685 CVE-2019-6109 CVE-2019-6111 | USN-3885-1 | 18.2.2 17.2.15 | |
Linux kernel vulnerabilities | Several security issues were fixed in the Linux kernel. | Low | CVE-2018-1066 CVE-2018-17972 CVE-2018-18281 CVE-2018-9568 | USN-3880-1 | 18.2.2 17.2.15 | |
Linux kernel (Xenial HWE) vulnerabilities | Several security issues were fixed in the Linux kernel. | Low | CVE-2018-10883 CVE-2018-16862 CVE-2018-19407 CVE-2018-19824 CVE-2018-20169 | USN-3879-2 | 18.2.2 17.2.15 | |
Django vulnerability | Django could be made to expose spoofed information over the network. | Low | CVE-2019-3498 | USN-3851-1 | 18.2.1 17.2.15 | |
Linux kernel (Xenial HWE) vulnerabilities | Several security issues were fixed in the Linux kernel. | Low | CVE-2017-18174 CVE-2018-12896 CVE-2018-18690 CVE-2018-18710 | USN-3848-2 | 18.1.5 | |
Linux kernel vulnerabilities | Several security issues were fixed in the Linux kernel. | Low | CVE-2017-2647 CVE-2018-10902 CVE-2018-12896 CVE-2018-14734 CVE-2018-16276 CVE-2018-18386 CVE-2018-18690 CVE-2018-18710 | USN-3849-1 | 18.1.5 | |
Linux kernel (Azure) vulnerabilities | Several security issues were fixed in the Linux kernel. | Low | CVE-2018-10902 CVE-2018-12896 CVE-2018-14734 CVE-2018-16276 CVE-2018-18445 CVE-2018-18690 CVE-2018-18710 | USN-3847-3 | 18.1.5 | |
lxml vulnerability | lxml could allow cross-site scripting (XSS) attacks. | Low | CVE-2018-19787 | USN-3841-1 | 18.1.5 17.2.14 | |
OpenSSL vulnerabilities | Several security issues were fixed in OpenSSL. | Low | CVE-2018-0734 CVE-2018-0735 CVE-2018-5407 | USN-3840-1 | 18.1.5 17.2.14 | |
libssh regression | USN-3795-1 and USN-3795-2 introduced a regression in libssh. | Low | | USN-3795-3 | 18.1.5 17.2.14 | |
OpenSSL vulnerabilities | Several security issues were fixed in OpenSSL. | Low | CVE-2018-0495 CVE-2018-0732 CVE-2018-0737 | USN-3692-1 | 18.1.2 17.2.12 | |
OpenJDK 7 vulnerabilities | Several security issues were fixed in OpenJDK 7. | Medium | CVE-2018-2790 CVE-2018-2794 CVE-2018-2795 CVE-2018-2796 CVE-2018-2797 CVE-2018-2798 CVE-2018-2799 CVE-2018-2800 CVE-2018-2814 CVE-2018-2815 | USN-3691-1 | 17.2.12 | |
Libgcrypt vulnerability | Libgcrypt could be made to expose sensitive information. | Low | CVE-2018-0495 | USN-3689-1 | 17.2.11 18.1.2 | |
GnuPG vulnerabilities | Several security issues were fixed in GnuPG. | Medium | CVE-2018-12020 CVE-2018-9234 | USN-3675-1 | 17.2.12 18.1.2 | |
elfutils vulnerabilities | elfutils could be made to crash or consume resources if it opened a specially crafted file. | Medium | CVE-2016-10254 CVE-2016-10255 CVE-2017-7607 CVE-2017-7608 CVE-2017-7609 CVE-2017-7610 CVE-2017-7611 CVE-2017-7612 CVE-2017-7613 | USN-3670-1 | 17.2.11 18.1.2 | |
Linux kernel vulnerabilities | Several security issues were addressed in the Linux kernel. | Medium | CVE-2017-12134 CVE-2017-13220 CVE-2017-13305 CVE-2017-17449 CVE-2017-18079 CVE-2017-18203 CVE-2017-18204 CVE-2017-18208 CVE-2017-18221 CVE-2018-3639 CVE-2018-8822 | USN-3655-1 | 17.2.11 | |
curl vulnerabilities | Several security issues were fixed in curl. | Medium | CVE-2018-1000300 CVE-2018-1000301 | USN-3648-1 | 17.2.11 | |
Patch vulnerabilities | Several security issues were fixed in Patch. | Medium | CVE-2016-10713 CVE-2018-1000156 CVE-2018-6951 | USN-3624-1 | 17.2.9 | |
Python Crypto vulnerability | Python Crypto could expose sensitive information. | Medium | CVE-2018-6594 | USN-3616-1 | 17.2.10 | |
OpenSSL vulnerability | OpenSSL could be made to crash if it received specially crafted network traffic. | Medium | CVE-2018-0739 | USN-3611-1 | 17.2.8 | |
Twisted vulnerability | Twisted could be made to run programs if it received specially crafted network traffic. | Low | CVE-2016-1000111 | USN-3585-1 | 17.2.8 | |
DHCP vulnerabilities | Several security issues were fixed in DHCP. | Medium | CVE-2016-2774 CVE-2017-3144 CVE-2018-5732 CVE-2018-5733 | USN-3586-1 | 17.2.8 | |
linux - Linux kernel | Several security issues were addressed in the Linux kernel. | High | CVE-2017-5715 CVE-2017-5753 Ubuntu Wiki Spectre and Meltdown | USN-3542-1 | 17.2.6 | Spectre and Meltdown |
openssh - secure shell (SSH) for secure access to remote machines | Several security issues were fixed in OpenSSH. | Low | CVE-2016-10009 CVE-2016-10010 CVE-2016-10011 CVE-2016-10012 CVE-2017-15906 | USN-3538-1 | 17.2.6 | |
eglibc - GNU C Library, glibc - GNU C Library | Several security issues were fixed in the GNU C library. | High | CVE-2017-1000408 CVE-2017-1000409 CVE-2017-15670 CVE-2017-15804 CVE-2017-16997 CVE-2017-17426 CVE-2018-1000001 | USN-3534-1 | 17.2.6 | |
linux - Linux kernel | Several security issues were fixed in the Linux kernel. | High | CVE-2017-5754 | USN-3524-1 | 17.2.6 | Spectre and Meltdown |
curl - HTTP, HTTPS, and FTP client and client libraries | curl could be made to crash or run programs if it received specially crafted network traffic. | Medium | CVE-2017-1000257 | USN-3457-1 | 17.1.13 | |
curl - HTTP, HTTPS, and FTP client and client libraries | Several security issues were fixed in curl. | Medium | CVE-2016-9586 CVE-2017-1000100 CVE-2017-1000101 CVE-2017-1000254 CVE-2017-7407 | USN-3441-1 | 17.1.13 | |
eglibc - GNU C Library, glibc - GNU C Library | Several security issues were fixed in the GNU C Library. | Medium | CVE-2015-5180 CVE-2015-8982 CVE-2015-8983 CVE-2015-8984 CVE-2016-1234 CVE-2016-3706 CVE-2016-4429 CVE-2016-5417 CVE-2016-6323 | USN-3239-1 | 16.4.3 | |
gnutls26 - GNU TLS library | GnuTLS could be made to hang if it received specially crafted network traffic. | Low | CVE-2016-8610 | USN-3183-2 | 16.4.3 | |
curl - HTTP, HTTPS, and FTP client and client libraries | Several security issues were fixed in curl. | Medium | CVE-2016-7141 CVE-2016-7167 CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 | USN-3123-1 | 16.3 | |
ntp - Network Time Protocol daemon and utility programs | Several security issues were fixed in NTP. | Medium | CVE-2015-7973 CVE-2015-7974 CVE-2015-7975 CVE-2015-7976 CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8138 CVE-2015-8158 CVE-2016-0727 CVE-2016-1547 CVE-2016-1548 CVE-2016-1550 CVE-2016-2516 CVE-2016-2518 CVE-2016-4954 CVE-2016-4955 CVE-2016-4956 | USN-3096-1 | 16.2.4 | |
postgresql-9.1 - Object-relational SQL database, postgresql-9.3 - Object-relational SQL database, postgresql-9.5 - object-relational SQL database | Several security issues were fixed in PostgreSQL. | Medium | CVE-2016-5423 CVE-2016-5424 | USN-3066-1 | 16.2.2 | |
openssh - secure shell (SSH) for secure access to remote machines | Several security issues were fixed in OpenSSH. | Medium | CVE-2016-6210 CVE-2016-6515 | USN-3061-1 | 16.2.2 | |
openssh - secure shell (SSH) for secure access to remote machines | Several security issues were fixed in OpenSSH. | Low | CVE-2015-8325 CVE-2016-1907 CVE-2016-1908 CVE-2016-3115 | USN-2966-1 | 16.1.3 | |
openssl - Secure Socket Layer (SSL) cryptographic library and tools | Several security issues were fixed in OpenSSL. | High | CVE-2016-2105 CVE-2016-2106 CVE-2016-2107 CVE-2016-2108 CVE-2016-2109 | USN-2959-1 | 16.2.1 | ROBOT (CVE-2017-6168) |
eglibc - GNU C Library, glibc - GNU C Library | GNU C Library could be made to crash or run programs if it received specially crafted network traffic. | High | CVE-2015-7547 | USN-2900-1 | 16.1.3 | |
linux - Linux kernel | The system could be made to crash or run programs as an administrator. | High | CVE-2016-0728 | USN-2870-1 | 15.3.1 | |
Footnotes:
[A]. Patch to disable SACK processing in Linux stack will be available by early July 2019. Patch from Canonical will be packaged in 18.2.5 (July 29th 2019).
[B]. User space IP stack used for VIP traffic does not use RACK. No additional patch required.
[C]. Awaiting fixes from Canonical.
Document Revision History
Date | Change Summary |
---|---|
September 16, 2020 | Added the DoS Vulnerability (CVE-2020-15598) in ModSecurity |
September 16, 2020 | Added the Raccoon Attack vulnerability (CVE-2020-1968) |
April 21, 2020 | Added OpenSSL vulnerability CVE-2020-1967 |